A New Jupyter Malware Version is Being Distributed via MSI Installers

silversurfer

Level 83
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,275
Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out healthcare and education sectors, which make it exceptional at defeating most endpoint security scanning solutions.

The new delivery chain, spotted by Morphisec on September 8, underscores that the malware has not just continued to remain active but also showcases "how threat actors continue to develop their attacks to become more efficient and evasive." The Israeli company said it's currently investigating the scale and scope of the attacks.
Running the MSI payload leads to the execution of a PowerShell loader embedded within a legitimate binary of Nitro Pro 13, two variants of which have been observed signed with a valid certificate belonging to an actual business in Poland, suggesting a possible certificate impersonation or theft. The loader, in the final-stage, decodes and runs the in-memory Jupyter .NET module.

"The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating," Morphisec researcher Nadav Lorber said. "That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions."